This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: Leo Reyzin. Notes for BU CAS CS 538. 1 5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we’ve been doing so far, the sender and the recipient needed to preagree on a key. This is traditionally called “symmetric” or “secret-key” encryption. The idea of public key encryption is that I can walk into a room, announce my key, and everybody in the room can send secret messages to me by simply shouting them out so that everyone can hear them. In other words, we can communicate secretly by publishing messages for everyone to see, even if we never pre-agreed on a shared secret value unknown to others. This sounds impossible, but can actually be done. The idea was first proposed by Diffie and Hellman [DH76]. 5.2 Public Key Encryption Using the Squaring Function First Attempt We know that squaring modulo n = pq is easy, while taking square roots is hard (as hard as factoring n ). On the other hand, taking square roots modulo p and modulo q is easy, and so is recombining them using the Chinese Remainder Theorem. So this gives us an idea for the public-key encryption scheme. Let p = q be two primes, n = pq , p ≡ q ≡ 3 (mod 4). Let the public key PK be n , and the secret key SK be ( p,q ). For m ∈ QR n , define the encryption of m as c = m 2 mod n . Note that if you just see c,n , it’s hard to find m , because it’s hard to find square roots (as we proved last time). However, if you know p and q , you can take the square root of c modulo p and modulo q (as shown on HW2), and combine them using Chinese Remainder Theorem to get back m . Note that you have to make sure that you take the square roots that are themselves squares, in order to get m and not one of the other three roots of c . This scheme can only encrypt messages in QR n (otherwise you don’t get unique decryption, because you don’t know which of the four square roots to take). While it is believed to be hard to find out whether m ∈ QR n without knowing SK, there are various tricks to get around this problem and get unique decryption for all m . We won’t discuss them here. The idea of using modular squaring in this way is due to Michael Rabin [Rab79], and the squaring function modulo n is often called the Rabin function . Why the First Attempt Isn’t Secure Note that if the adversary knows that m is small (less than √ n ), then c is just m 2 , and m can be found by simply taking the integer square root of c . In addition, this encryption scheme cannot be used to encrypt the same message twice, because the adversary will be able to tell that two ciphertexts are the same. Nor can it securely encrypt two messages whose ratio is known....
View Full Document
This document was uploaded on 02/27/2012.
- Spring '09